Taking a stroll through my spam folder, I saw a bunch of legitimate messages from people and companies with their own domains that are not publishing DMARC and SPF records. Surely everyone (and by everyone I mean Google) is rejecting their mail? How do they not realize this?

Then I noticed that one of them was received *from* gmail, so their mail probably works fine so long as they only mail gmail users. But another was via Yahoo, so that doesn't track.
jwz.org/b/ykk8

@jwz The stats we collect for the project (mass-scan results from participating sites) have long shown that spammers are more consistent at making SPF, DKIM, and DMARC correct than are legitimate senders. DMARC in particular has no discernible benefit for most senders, so it is a useless signal.

Rejecting mail based solely on authentication failures of those deeply flawed authentication methods does more harm than good.
